GDPR Data Breach Notification: 72-Hour Rule
Quick Answer
GDPR requires organizations to notify their supervisory authority of a personal data breach within 72 hours of becoming aware of it. If the breach poses a high risk to individuals, those individuals must also be notified without undue delay.
GDPR Breach Notification Requirements
Under Articles 33 and 34 of GDPR, organizations must notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach — unless the breach is unlikely to result in a risk to individuals' rights and freedoms. This is one of the strictest breach notification timelines in any data protection regulation.
Key Takeaways
- 72 hours to notify supervisory authority from the moment you become "aware" of the breach
- Individual notification required only for "high risk" breaches
- Data processors must notify controllers "without undue delay" after awareness
- Maintain a breach register documenting ALL breaches (even those not notified)
- Late or missing notification is itself a GDPR violation with separate penalties
The 72-Hour Timeline
Breach Response Timeline
Hour 0: Awareness
You become "aware" when you have a reasonable degree of certainty that a breach has occurred. Awareness starts the 72-hour clock.
Hours 0-24: Assess
Determine the nature and scope of the breach. What data was affected? How many individuals? What are the likely consequences?
Hours 24-48: Prepare notification
Draft supervisory authority notification. Gather required information. Determine if individual notification is needed.
Hour 72: Supervisory authority notification deadline
Submit notification to the lead supervisory authority. If you can't provide all details within 72 hours, you may provide information in phases.
Without undue delay: Individual notification
If the breach is high risk, notify affected individuals. No specific hour deadline, but "without undue delay" is interpreted strictly.
When to Notify the Supervisory Authority
You must notify the supervisory authority of any personal data breach unless it's "unlikely to result in a risk to the rights and freedoms of natural persons." In practice, most breaches involving personal data should be notified — the threshold for NOT notifying is high.
| Breach Type | Notify Authority? | Notify Individuals? |
|---|---|---|
| Encrypted data stolen (keys not compromised) | Likely no — data is effectively unusable | No |
| Employee accidentally emails PHI to wrong recipient | Yes — personal data disclosed to unauthorized person | Depends on sensitivity and whether recipient deleted it |
| Ransomware encrypts database with personal data | Yes — availability and potentially confidentiality breach | Yes if data was exfiltrated or high risk |
| SQL injection exposes customer records | Yes — unauthorized access to personal data | Yes — high risk to affected individuals |
| Lost unencrypted laptop with customer data | Yes — physical security breach | Yes if sensitive data was stored |
| Brief service outage (no data access) | Generally no — availability issue without data compromise | No |
Notification Content Requirements
Supervisory Authority Notification Must Include
- Nature of the breach (categories and approximate number of affected individuals/records)
- Name and contact details of the DPO or other contact point
- Description of likely consequences of the breach
- Description of measures taken or proposed to address the breach and mitigate effects
Individual Notification Must Include
- Description of the breach in clear and plain language
- Name and contact details of the DPO or other contact point
- Description of likely consequences
- Description of measures taken and recommendations for individuals to protect themselves
Breach Register Requirement
❗ Document ALL Breaches
Article 33(5) requires you to maintain a record of all personal data breaches — including those you determined did NOT require notification. The register must include the facts of the breach, its effects, and the remedial action taken. Supervisory authorities can request this register during investigations.
Key Figures
- 72 hours: deadline for supervisory authority notification, counted from awareness of the breach
- EUR 10M / 2%: maximum fine for breach notification failures, including late notification
- 65%: estimated percentage of breaches notified after the 72-hour window
- 100K+: breaches notified to EU supervisory authorities since 2018
What counts as becoming "aware" of a breach?
Awareness means you have a reasonable degree of certainty that a security incident has compromised personal data. Discovering suspicious activity triggers an obligation to investigate promptly. Deliberately ignoring warning signs does not delay the awareness clock.
What if I can't determine the full scope within 72 hours?
Article 33(4) allows you to provide information in phases. You must still notify within 72 hours with whatever information you have, then supplement the notification as more details become available. Document why phased notification was necessary.
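The 72-hour clock, the Article 33(5) register and phased notification under Article 33(4) described above, as an added example that is not part of the original page: a small Python breach register that logs every breach regardless of risk, computes the supervisory-authority deadline from the moment of awareness, flags late or overdue notifications, and records phased supplements only after an initial notice exists. The risk levels, field names and sample incidents are constructed for illustration, not taken from any regulation text or real case.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Optional, Tuple

# Article 33(1): 72 hours from awareness to supervisory-authority (SA) notification.
SA_DEADLINE = timedelta(hours=72)


class RiskLevel(Enum):
    """Constructed classification mirroring the decision in the text."""
    UNLIKELY = "unlikely"  # unlikely to result in a risk: register entry only
    RISK = "risk"          # notify the supervisory authority
    HIGH = "high"          # notify the supervisory authority and individuals (Art. 34)


@dataclass
class BreachRecord:
    """One Article 33(5) register entry; facts, effects and remedial action are
    kept for every breach, whether or not it was notified."""
    ref: str
    aware_at: datetime  # moment of awareness; starts the 72-hour clock
    facts: str
    risk: RiskLevel
    effects: str = ""
    remedial_action: str = ""
    sa_notified_at: Optional[datetime] = None
    # Phased notification history (Art. 33(4)): (timestamp, what was sent)
    sa_supplements: List[Tuple[datetime, str]] = field(default_factory=list)
    individuals_notified_at: Optional[datetime] = None

    @property
    def sa_deadline(self) -> datetime:
        return self.aware_at + SA_DEADLINE

    def sa_notification_required(self) -> bool:
        return self.risk is not RiskLevel.UNLIKELY

    def individual_notification_required(self) -> bool:
        return self.risk is RiskLevel.HIGH

    def hours_remaining(self, now: datetime) -> float:
        """Hours left on the 72-hour clock; negative once the deadline has passed."""
        return (self.sa_deadline - now).total_seconds() / 3600


class BreachRegister:
    def __init__(self) -> None:
        self._records: Dict[str, BreachRecord] = {}

    def record(self, rec: BreachRecord) -> None:
        # Naive datetimes make deadline arithmetic ambiguous across time zones.
        if rec.aware_at.tzinfo is None:
            raise ValueError("aware_at must be timezone-aware")
        self._records[rec.ref] = rec  # logged regardless of risk level

    def get(self, ref: str) -> BreachRecord:
        return self._records[ref]

    def notify_sa(self, ref: str, at: datetime, summary: str) -> bool:
        """Log the initial SA notification; returns True if it was late."""
        rec = self._records[ref]
        rec.sa_notified_at = at
        rec.sa_supplements.append((at, summary))
        return at > rec.sa_deadline

    def supplement_sa(self, ref: str, at: datetime, detail: str) -> None:
        """Phased follow-up; only valid after an initial notification exists."""
        rec = self._records[ref]
        if rec.sa_notified_at is None:
            raise ValueError(f"{ref}: supplement logged before initial notification")
        rec.sa_supplements.append((at, detail))

    def overdue(self, now: datetime) -> List[str]:
        """Refs that require SA notification, have none logged, and are past deadline."""
        return sorted(r.ref for r in self._records.values()
                      if r.sa_notification_required()
                      and r.sa_notified_at is None and now > r.sa_deadline)

    def pending_individual_notices(self) -> List[str]:
        return sorted(r.ref for r in self._records.values()
                      if r.individual_notification_required()
                      and r.individuals_notified_at is None)


def sample_register() -> BreachRegister:
    """Constructed sample incidents (not real cases) covering the three outcomes."""
    reg = BreachRegister()
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    reg.record(BreachRecord("BR-001", t0, "SQL injection exposed customer records",
                            RiskLevel.HIGH, effects="names and order history disclosed",
                            remedial_action="patched, credentials rotated"))
    reg.record(BreachRecord("BR-002", t0 + timedelta(hours=5),
                            "encrypted backup drive lost, keys not compromised",
                            RiskLevel.UNLIKELY, remedial_action="drive remotely wiped"))
    reg.record(BreachRecord("BR-003", t0 + timedelta(hours=10),
                            "email with personal data sent to wrong recipient",
                            RiskLevel.RISK, remedial_action="recipient confirmed deletion"))
    # BR-001: initial notice at hour 60, supplemented at hour 96 (phased, Art. 33(4)).
    reg.notify_sa("BR-001", t0 + timedelta(hours=60), "initial notice, scope under review")
    reg.supplement_sa("BR-001", t0 + timedelta(hours=96), "final count of data subjects")
    return reg


if __name__ == "__main__":
    reg = sample_register()
    check = reg.get("BR-003").sa_deadline + SA_DEADLINE
    print("overdue at", check.isoformat(), "->", reg.overdue(check))
    print("individuals still to notify ->", reg.pending_individual_notices())
```

The register keeps BR-002 even though it is never notified, which is the Article 33(5) point; `overdue()` and `hours_remaining()` are what an incident lead would wire into a ticketing or paging system so that the 72-hour deadline is tracked from awareness rather than from the first meeting about the incident.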
Which supervisory authority do I notify?
Notify the lead supervisory authority — typically the DPA in the member state where your main EU establishment is, or where the breach most affects individuals. If you're a non-EU company, notify the DPA of the member state where the most affected individuals are.
Is a data processor responsible for breach notification?
Data processors must notify the controller without undue delay after becoming aware of a breach. The controller is then responsible for notifying the supervisory authority and affected individuals. The processor should assist the controller with breach response.